2020 Set a Record for New Linux Malware Families

Written by Intezer

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    Intezer’s 2021 X-Force Threat Intel Index Highlights

    It was a lot of fun collaborating with IBM on their 2021 X-Force Threat Intelligence Index, highlighting how cyberattacks evolved in 2020 as threat actors sought to profit from the COVID-19 pandemic.

    In 2019, banking trojans and ransomware were the top innovators in malware code evolution. This year our contributions to the report mainly focused on the Linux threat ecosystem which is fast emerging, evidenced by 56 new malware families discovered in 2020—its highest level ever. We won’t give it all away but below is a preview.

    Get your copy of the 2021 X-Force Threat Intelligence Index

    Get ahead of the latest Linux cloud threats. Try the free Intezer Protect community edition.

    40% Increase in New Linux Malware Families in 2020

    The number of new Linux-related malware families discovered in 2020 was 56, far more than the level of innovation found in other threat types. This represented a 40% increase from 2019-2020, with 500% growth from 2010 to 2020.

    Investment in Open-Source Malware Threatens Cloud Environments

    Threat actors are innovating their malware, particularly malware that targets Linux, the open-source code that supports business-critical cloud infrastructure and data storage.

    In the wake of the disruption caused by COVID-19, many businesses accelerated their cloud adoption. A recent Gartner survey found that almost 70% of organizations using cloud services today plan to increase their cloud spending. With Linux currently powering 90% of cloud workloads and a 500% increase in Linux-related malware families in the past decade, cloud environments are becoming a prime target for threat actors.

    Intezer and X-Force have observed top threat actors—including Carbanak, APT28 and APT29—turning to open-source malware and creating Linux versions of their traditional malware. Ransomware strains such as RansomEXX and SFile are turning up with Linux versions as well.

    Linux Cryptojacking

    Cybercriminals are investing heavily in creating new Linux cryptomining malware, suggesting that these criminals aim to exploit the power of cloud computing’s processing power to maliciously obtain cryptocurrency. Attackers are evading classic detection methods, not coincidentally around the time Bitcoin and cryptocurrency started to soar.

    We observed more than 13% new, previously unobserved code in Linux cryptominining malware in 2020. Make sure you have adequate threat detection to swat them away in runtime.

    Malware Written in Golang

    We observed a 500% increase in Go-written malware in the first six months of 2020. Both nation-state backed and non-nation state threat actors are adopting Go as the programming language of choice to develop cross-platform malware that target both Windows and Linux systems.

    It’s likely that attacks from Go malware against cloud environments will increase as more valuable assets are moved to the cloud. Using the security features provided by the hosting providers will not be enough and specialized runtime protection solutions like Intezer Protect will be needed.

    How Intezer Can Help

    Linux operating systems are the backbone of cloud and hybrid cloud infrastructure. With cloud services enabling organizations with greater flexibility and efficiency for their data, the demand for cloud computing is growing every year. Cybercriminals are taking note, and recognize that cloud environments present opportunities for them as well. In particular, they are investing more time and effort into creating malware tailored to affect Linux systems and cloud environments.

    Cloud security demands greater vigilance. You can drastically reduce the likelihood of getting attacked by doing the basics like fixing known vulnerabilities. At the same time, it’s impossible to eliminate all software vulnerabilities. Not every vulnerability is known, not every software has a fix, and patching those that can be fixed takes time.

    Add to this the existence of vulnerable third-party software and Living off the Land (LotL) attacks, which is why you also need strong threat detection. When you get attacked in runtime, where actual attacks occur, you need to be able to detect it.

    Intezer Protect defends all types of compute resources—including VMs, containers and Kubernetes—against the latest Linux threats in runtime. Try our free community edition


    Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt